Canada's Mandatory Breach Notification Rules Now in EffectOrganizations Must Comply With Data Breach Reporting Requirements or Face Fines
Private sector organizations in Canada must now report all serious data breaches to the country's privacy watchdog.
As of Nov. 1, new provisions in the country's Personal Information Protection and Electronic Documents Act came into force, which include mandatory tracking of all data breaches by all organizations, large and small. Such records must be stored for at least two years.
Since 2001, Canada's PIPEDA privacy law has applied to private sector organizations. "The act ... sets out rules that organizations must follow when collecting, using or disclosing personal information in the course of their commercial activities," according to a Canadian government overview. "The Office of the Privacy Commissioner (OPC) enforces PIPEDA by overseeing whether organizations are complying with the act's obligations."
Over the last three years, however, Parliament has been tweaking PIPEDA to add mandatory breach notification (see: Preparing for PIPEDA).
"The number and frequency of significant data breaches over the past few years have proven there's a clear need for mandatory reporting," says Canadian Privacy Commissioner Daniel Therrien.
"Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information," says Therrien, who has served in his role since June 5, 2014.
Organizations are now required to alert the OPC to any data exposure, as well as if they have failed to put appropriate measures in place. "A breach of security safeguards is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards ... or from a failure to establish those safeguards," the OPC's guidance reads.
Organizations must keep a report of all breaches, but only need to report breaches "that pose a real risk of significant harm, and to keep records of all breaches of security safeguards," the OPC says. But the privacy commissioner can request these reports at businesses at any time.
In terms of the potential number of victims, there is no reporting threshold. "Whether a breach of security safeguards affects one person or a 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach," the OPC says. Organizations must also directly notify affected individuals.
"If a breach triggers notification due to a real risk of significant harm, 'any government institutions or organizations that the organization believes ... may be able to reduce the risk of harm ... or mitigate the harm' resulting from the breach must also be notified," according to an analysis of the new rules published by the cybersecurity and privacy practice at global law firm Hunton Andrews Kurth LLP.
An organization is also responsible for reporting any security breaches that involve data that is "under its control," according to the new rules.
Hunton says the OPC has clarified that statement in its final guidance. "In general, when an organization (the 'principal') provides personal information to a third-party processor (the 'processor'), the principal may reasonably be found to be in control of the personal information it has transferred to the processor, triggering the reporting and record-keeping obligations of a breach that occurs with the processor," the law firm notes.
"On the other hand, if the processor uses or discloses the same personal information for other purposes, it is no longer simply processing the personal information on behalf of the principal; it is instead acting as an organization 'in control' of the information, and would thereby have the obligation to notify, report, and record."
Takeaway: Organizations must assess all breaches on a case-by-case basis, as well as ensure they have the right contractual obligations in place to ensure that any third parties that handle its data take appropriate steps to secure it, Hunton says.
Violators May Be Fined
Cases involving organizations that violate the PIPEDA breach-reporting guidelines may be referred by the OPC to the office of the attorney general of Canada, which may decide to prosecute.
"The OPC does not prosecute offenses under PIPEDA or issue fines," OPC says. "What the OPC can do is refer information relating to the possible commission of an offense to the attorney general of Canada, who would be responsible for any ultimate prosecution."
Organizations that deliberately fail to report a data breach to authorities will be subject to a fine of up to CAN$100,000 (US$76,000). Organizations that deliberately fail to notify any data breach victim will be subject to a separate fine of up to $100,000 for every individual. Finally, "deliberately failing to keep, or destroying data breach records will also be an offense, subject to a fine of up to $100,000," according to a government overview of the new requirements.
Commissioner Slams 'Superficial' Approach
Therrien, Canada's privacy commissioner, has described the new data breach reporting requirements as "imperfect but a step in the right direction."
"He has raised concerns that the reporting requirements fall short in that, for example, they don't ensure that breach reports to his office provide the information necessary to assess the quality of organizations' safeguards," according to OPC. "As well, the government has not provided the privacy commissioner's office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office's work will be somewhat superficial and the regime will be less effective in protecting privacy."
That language echoes a privacy report Therrien submitted to Parliament in September.
Privacy Rights in the GDPR Era
To be sure, the OPC is seriously underpowered in comparison with enforcement of the EU's General Data Protection Regulation. The data protection authorities in each of the 28 EU member states enforce GDPR.
Organizations that fail to comply with GDPR's privacy requirements face fines of up 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($13 million) or 2 percent of annual global revenue (see: GDPR Effect: Data Protection Complaints Spike).
So far, however, Parliament has not made any substantive moves to beef up the OPC.
The privacy commissioner would be given the power to fine rule breakers up to $30 million under a private member's bill sponsored by Liberal MP Nathaniel Erskine-Smith, who is a vice chair of the Commons privacy committee, CTV News reports.
But such bills rarely become law, in part because very little time is allocated in Parliament to discuss or advance any private member's bill.